Front-End and Back-End Architecture
Having a front-end and back-end architecture allows you to manage Internet access protocols on a server that is separate from servers where mailbox and public folder stores are located. By splitting the functionality between servers, front-end servers handle incoming client connections while back-end servers are dedicated to running the mailbox and public folder stores.
All front-end and back-end servers must be in the same Active Directory forest. With Exchange 2000 Server, front-end servers were required to run the Enterprise Edition, but Exchange Server 2003, Standard Edition, supports configuration as a front-end server. A characteristic of, and in fact a requirement of, front-end servers is that they cannot host any mailboxes or public folders—in other words, no mailbox or public folder stores.
Benefits of Front-End and Back-End Architecture
Front-end and back-end architecture provides the following benefits:
Unified namespace. In a large organization with many Exchange servers, using front-end servers simplifies the administration. The primary advantage of front-end and back-end server architecture is the ability to have a single, consistent namespace through which users can access their mailboxes when there is more than one server (for example, http://www.contoso.com/exchange for Outlook Web Access). Users do not need to know the names of the servers that store their mailboxes, and if you want to move users' mailboxes from one server to another, there is no need to reconfigure the client computers.
Reduced overhead for SSL. When connections are made using Secure Sockets Layer (SSL), information is encrypted and decrypted, which is processor-intensive and can negatively affect server performance. In a front-end and back-end configuration, the front-end server can process the encryption with the client, and the front-end server and back-end servers communicate without the overhead of SSL encryption. The result is improved performance and a greater number of users that can be supported than if you were using a single server.
Firewalls. You can place the back-end server behind a firewall that is configured to allow only traffic from the front-end server. You can also place the front-end server on or behind an Internet firewall that is configured to allow Internet traffic only to the front-end server; the front-end server provides an additional layer of security because it does not contain user information. You can also configure the front-end server to authenticate requests before sending them to the back-end server; this configuration protects back-end servers from most denial of service (DoS) attacks.
The front-end server does not require much disk storage, but it should have a fast central processing unit (CPU) and a large amount of memory. If you enable SMTP on the front-end server, you should back up the hard disks because SMTP commits queued mail to the local disk. In addition, if the front-end server faces the Internet and accepts messages from Internet users, ensure that you have adequate virus scanning installed on the server.
Tip: To increase performance, you can use an SSL accelerator card on the front-end server, or you can position an external SSL accelerator device between the clients and the front-end server. If you have a small number of front-end servers, an SSL accelerator card is simple and cost-effective. For a large number of servers, an external accelerator is more cost-effective because you need to store and configure an SSL certificate only once.
Front-End and Back-End Scenarios
The following are scenarios in which front-end and back-end architecture is commonly used.
Standard Front-End and Back-End Topology
To maintain a single namespace for e-mail servers while distributing users among several servers, you could designate a single server as a front-end server and have several back-end mailbox servers. In this scenario, you direct HTTP, POP3, and IMAP4 users to the front-end server and ensure that all virtual servers and virtual directories on the front-end server are configured identically on the back-end servers. By doing this, you could supply all external users with a common mail server name to access without having to worry about which server actually holds an individual's mailbox. The front-end server would communicate with the back-end server to find the appropriate mailbox and transfer message data as necessary.
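The requirement that every virtual directory on the front-end server also exist, with matching settings, on each back-end server is the kind of thing that silently breaks when a back-end is rebuilt. The following is an added example (not from this book and not Microsoft's tooling) of a consistency check over configuration snapshots. The server names, virtual directory paths and settings are constructed sample data; a real check would populate the dictionaries from the IIS metabase of each server. SSL enforcement is deliberately not compared, because the text describes the front-end-to-back-end leg as running without SSL.

```python
# Added example: compare HTTP virtual directory configuration between a
# front-end server and its back-end servers. All data below is constructed.

# Settings that are legitimately allowed to differ between the front-end and
# the back-ends: SSL is terminated on the front-end and the FE->BE leg is plain.
IGNORED_SETTINGS = {"ssl_required"}

FRONT_END = {
    "name": "FE01",
    "vdirs": {
        "/exchange": {"auth": "basic", "ssl_required": True},
        "/public":   {"auth": "basic", "ssl_required": True},
        "/exchweb":  {"auth": "anonymous", "ssl_required": True},
    },
}

BACK_ENDS = [
    {   # fully consistent with the front-end
        "name": "BE01",
        "vdirs": {
            "/exchange": {"auth": "basic", "ssl_required": False},
            "/public":   {"auth": "basic", "ssl_required": False},
            "/exchweb":  {"auth": "anonymous", "ssl_required": False},
        },
    },
    {   # rebuilt server: /public was never recreated and /exchange uses a
        # different authentication method than the front-end expects
        "name": "BE02",
        "vdirs": {
            "/exchange": {"auth": "integrated", "ssl_required": False},
            "/exchweb":  {"auth": "anonymous", "ssl_required": False},
        },
    },
]


def find_mismatches(front_end, back_ends, ignored=IGNORED_SETTINGS):
    """Return a list of (back_end_name, vdir_path, problem) tuples describing
    every virtual directory on the front-end that is missing from a back-end
    or whose compared settings differ. An empty list means the topology is
    consistent."""
    problems = []
    for be in back_ends:
        for path, fe_settings in front_end["vdirs"].items():
            be_settings = be["vdirs"].get(path)
            if be_settings is None:
                problems.append((be["name"], path, "missing on back-end"))
                continue
            for key, fe_value in fe_settings.items():
                if key in ignored:
                    continue
                be_value = be_settings.get(key)
                if be_value != fe_value:
                    problems.append(
                        (be["name"], path,
                         f"{key}: front-end={fe_value!r} back-end={be_value!r}")
                    )
    return problems


if __name__ == "__main__":
    for server, path, problem in find_mismatches(FRONT_END, BACK_ENDS):
        print(f"{server} {path}: {problem}")
```

Run against the sample data, the check reports nothing for BE01 and two findings for BE02; a user whose mailbox lives on BE02 would get an error or an unexpected authentication prompt for /public even though the front-end namespace looks fine.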
Front-End Server Behind the Firewall
One of the biggest benefits of a front-end and back-end architecture is with respect to making e-mail services available to Internet-based users. A common e-mail service that Exchange Server provides is Outlook Web Access (OWA), which integrates with IIS to make user mailboxes and public folders available to users by accessing them through a Web browser. To achieve security and still provide access to OWA, POP3, or IMAP4 from the Internet, you can place the Exchange organization behind the corporate firewall. At a minimum, the firewall must use port filtering to protect the front-end server from the Internet. If your firewall solution supports Internet Protocol (IP) address filtering, you should configure IP address filtering to accept requests that are directed to the front-end server and to block requests that are directed to other servers in the organization. By using this type of configuration, external users are unable to connect to anything except the specific mail ports on the front-end server and are unable to access the back-end servers (or other servers) directly. This provides an additional level of security over the standard front-end and back-end topology.
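The two firewall properties described here and in the Firewalls benefit above (Internet traffic reaches only the mail ports on the front-end server; back-end servers accept traffic only from the front-end) can be verified against a rule set rather than assumed. The following is an added example, not from this book, that models a first-match firewall rule set and audits it for those two invariants. The addresses, the port list and the rules are constructed; the front-end-to-back-end ports (80 for proxied OWA, 110 for POP3, 143 for IMAP4) are an assumption for illustration and omit the directory and DNS traffic a real front-end also needs.

```python
# Added example: audit a firewall rule set against the front-end/back-end
# topology. Addresses, ports and rules are constructed sample data.
import ipaddress

ANY = ipaddress.ip_network("0.0.0.0/0")
FRONT_END = ipaddress.ip_network("192.0.2.10/32")       # constructed FE address
BACK_END_NET = ipaddress.ip_network("10.0.1.0/24")      # constructed BE subnet
FE_MAIL_PORTS = {443, 993, 995}   # HTTPS (OWA), IMAP4 over SSL, POP3 over SSL

# (source, destination, destination port or None for any, action); first match wins
RULES = [
    (ANY, FRONT_END, 443, "allow"),
    (ANY, FRONT_END, 993, "allow"),
    (ANY, FRONT_END, 995, "allow"),
    (FRONT_END, BACK_END_NET, 80, "allow"),    # assumed: proxied HTTP, no SSL on this leg
    (FRONT_END, BACK_END_NET, 110, "allow"),   # assumed: POP3 FE -> BE
    (FRONT_END, BACK_END_NET, 143, "allow"),   # assumed: IMAP4 FE -> BE
    (ANY, ANY, None, "deny"),                  # default deny
]

# A weak variant: a broad "allow HTTPS to anywhere" rule placed above the rest.
WEAK_RULES = [(ANY, ANY, 443, "allow")] + RULES


def evaluate(src, dst, port, rules=RULES):
    """Return 'allow' or 'deny' for a flow, using first-match semantics."""
    src, dst = ipaddress.ip_address(src), ipaddress.ip_address(dst)
    for rule_src, rule_dst, rule_port, action in rules:
        if src in rule_src and dst in rule_dst and (rule_port is None or rule_port == port):
            return action
    return "deny"   # implicit deny if no rule matched


def audit(rules=RULES, probe_ports=(25, 80, 110, 143, 443, 993, 995, 3389)):
    """Return flows that the rule set allows but the topology forbids:
    anything from the Internet to a back-end, and anything from the Internet
    to the front-end that is not one of its published mail ports."""
    external = "203.0.113.5"        # constructed Internet client
    back_end = "10.0.1.20"          # constructed back-end mailbox server
    front_end = "192.0.2.10"
    violations = []
    for port in probe_ports:
        if evaluate(external, back_end, port, rules) == "allow":
            violations.append((external, back_end, port))
        if port not in FE_MAIL_PORTS and evaluate(external, front_end, port, rules) == "allow":
            violations.append((external, front_end, port))
    return violations


if __name__ == "__main__":
    print("strict rule set violations:", audit(RULES))
    print("weak rule set violations:  ", audit(WEAK_RULES))
```

The strict rule set passes the audit; the weak one exposes the back-end on port 443 to the Internet, which is exactly the direct back-end access the text says this topology must prevent. The same audit function can be re-run whenever the rule set changes.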
Load Balancing on the Front-End Server
To provide a single namespace through which users can access mailboxes while avoiding a bottleneck or single point of failure on the front-end server, use Network Load Balancing to spread the load over multiple front-end servers. The load-balancing solution you use should ensure that each user is always sent to the same front-end server for the duration of a session. Network Load Balancing requires the Enterprise Edition of Windows 2000 Server or Windows Server 2003.
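The affinity requirement stated above (each user always reaches the same front-end server for a session) has a second half a practitioner cares about: when one front-end fails, only the sessions that were on that server should move, so the rest of the users keep their state. The following is an added example, not from this book and not Microsoft's Network Load Balancing implementation, that models client-IP affinity with rendezvous (highest-random-weight) hashing and checks that property. The server names and client addresses are constructed.

```python
# Added example: client-IP affinity across several front-end servers with
# rendezvous hashing. Not the NLB algorithm; a model of the affinity property.
import hashlib

FRONT_ENDS = ["FE01", "FE02", "FE03"]   # constructed front-end server names


def pick_front_end(client_ip, front_ends):
    """Deterministically map a client address to one of the live front-ends.
    Each (client, server) pair gets a pseudo-random score; the highest wins.
    Removing a server leaves every other pair's score unchanged, so only the
    removed server's clients are reassigned."""
    if not front_ends:
        raise RuntimeError("no front-end servers available")
    best, best_score = None, -1
    for fe in front_ends:
        digest = hashlib.sha256(f"{client_ip}|{fe}".encode()).digest()
        score = int.from_bytes(digest[:8], "big")
        if score > best_score:
            best, best_score = fe, score
    return best


def assign_all(clients, front_ends):
    """Map every client to a front-end server."""
    return {c: pick_front_end(c, front_ends) for c in clients}


def moved_clients(before, after):
    """Clients whose front-end changed between two assignments."""
    return {c for c in before if before[c] != after.get(c)}


def sample_clients():
    """Constructed client addresses from documentation ranges."""
    return [f"203.0.113.{i}" for i in range(1, 101)] + \
           [f"198.51.100.{i}" for i in range(1, 101)]


if __name__ == "__main__":
    clients = sample_clients()
    before = assign_all(clients, FRONT_ENDS)
    after = assign_all(clients, [fe for fe in FRONT_ENDS if fe != "FE02"])
    per_server = {fe: sum(1 for v in before.values() if v == fe) for fe in FRONT_ENDS}
    print("clients per front-end:", per_server)
    print("clients moved after FE02 failure:", len(moved_clients(before, after)))
```

Running it shows the load spread across the three servers and, after FE02 is taken out, a number of moved clients equal to the number that were on FE02 and no more. A plain `hash(client) % len(servers)` scheme would fail that check, because changing the divisor reshuffles most clients, which is why the text's "same front-end server for the duration of a session" is a property to test rather than assume.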